The State of Information-Sharing

In the wake of increased cyber-crime incidents and fraud worldwide, government and private-sector organizations are calling for formal information-sharing initiatives to help improve security defenses.

In February, U.S. President Barack Obama issued an executive order aimed at promoting private sector cybersecurity information-sharing.

And in March, the U.S. Financial Services Information Sharing and Analysis Center participated in a cybersecurity summit in Bengaluru, focused on the topic of growing information-sharing initiatives in India. At this event, Denise Anderson, vice president of government and cross-sector programs at FS-ISAC, spoke of India's challenge.

"While there is no regulated body or structured way of sharing cybersecurity information in India, I see bodies like CERT-In, IDRBT and practitioners from the banking sector forming an information sharing forum," Anderson said.

But how prepared are India's private- and public-sector entities to engage in formal information-sharing programs?

Many security leaders across India express the need for a formal information-sharing platform across sectors to enable security teams to prevent or defend against cyber-attacks. Yet, at the same time, security heads are cautious about sharing information through informal channels, fearful that it might be misused.

"To make information sharing a reality," says Vinayak Godse, director of the Data Security Council of India, "security practitioners should first believe that it is a collective learning mechanism to understand an enterprise's security preparedness against cyber-attacks."

State of Information Sharing

Although many in India's security industry realize the importance of information-sharing and consider it vital in building a resilient infrastructure, some argue that there is no structured mechanism in the country, particularly in the financial sector.

In light of increasing fraud incidents in the Indian financial sector, the Reserve Bank of India in 2012 recommended the formation of a dedicated cell akin to the FS-ISAC under the aegis of IDRBT for monitoring threats and for disseminating security information throughout the financial services community.

Per the guidelines, IDRBT has developed a Security Incident Tracking Platform where banks would be able to report security incidents in an anonymous manner. The platform will be hosted on the INFINET and the access provided only to chief information security officers of respective banks. IDRBT is simultaneously making arrangements to gather global threat intelligence from various sources in coordination with CERT-In.

Bengaluru-based K S Narayanan, CISO at ING Vysya bank, has been involved in these initiatives. But he says that information-sharing to this point has been restricted to banking and has not spread to other sectors.

"Banks seem to be quite advanced in sharing of information, while other financial services players like insurance, NBFCs (non-banking financial companies) do not have a formal information sharing platform, which is vital to share information against cyber-attacks," Deodhar says.

Godse of DSCI says that CERT-IN has been compiling information about cybersecurity threats and attacks in the country and strategizing around safeguarding national infrastructure against attacks, but to this point the organization lacks a formal mechanism to share this data with enterprises.

In her visit, Anderson echoed a similar sentiment: information-sharing groups have good intent to share information on a real-time basis, but India lacks a formal structure to enable such exchange.

Information-Sharing Challenge

The challenge, most practitioners say, begins with the lack of formal channels, as well as a dearth of best-practices outlining specific policy guidelines and frameworks for information-sharing. How much information should be shared, and by whom? How will this information be used?

"Security managers are wary of sharing information through informal channels, as they are not sure of the individuals accessing these channels and the information could be exploited," says Deodhar.

The irony, some say, is that attackers are quite successfully forming groups and sharing information on finding newer ways to attack Indian organizations, yet security leaders have failed to overcome their own information-sharing challenges and are ill-prepared to defend against the attacks or to keep themselves abreast of the threats.

The Role of PPP

In the U.S., Anderson says the FS-ISAC - considered to be perhaps the world's premier information-sharing entity - has built its collaborative model by engaging financial services providers, commercial security firms, federal, state and local government agencies, law enforcement and other trusted resources, to quickly disseminate physical and cyber-threat alerts to member organizations.

To leverage this model in India, Deodhar says that as long as non-disclosure agreements are signed with a formal platform in place, a public-private partnership model will be of immense help in sharing information and defending against threats.

However, the mandate should be to share key information that is both accurate and timely. "This information also needs to be interpreted and applied correctly by a central team to create actionable intelligence for the industry," says Deodhar.

And Narayanan says this information-sharing model must be built upon a central foundation to coordinate the efforts.

"Since multiple organizations are involved in the government for dissemination of information on the critical infrastructure protection methods and cybersecurity incidents," he says, "there needs to be a common platform and robust framework that acts like a co-ordinating body in sharing information with cross-sectors."

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
